cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911

Analysis

max time kernel
192s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe
Size

5.2MB
MD5

0c93412e943657c187b25874d264175d
SHA1

94ba0646a5f31df3c9cb7973aa92c5506f423cb8
SHA256

cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911
SHA512

eb604cebb21edeb1f444c1ce7a527077ea5c6315fb8c80c354706eef0d842377cda61aaaa1332e6bde1a922fb6c716efd29193e1ee5cbc6ef4a6c7bd53e8c567
SSDEEP

24576:/DyTFtjSDyTFtjZDyTFtjSDyTFtjeDyTFtjtDyTFtjSDyTFtjfDyTFtjSDyTFtjq:YtztCtztHtGtzt8tztHtGtzt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4548	tmp240588453.exe
4324	tmp240589015.exe
3948	tmp240589187.exe
3748	tmp240592750.exe
3484	tmp240613609.exe
4628	tmp240624234.exe
2728	tmp240626656.exe
3980	tmp240627562.exe
1328	notpad.exe
2404	tmp240632875.exe
3716	notpad.exe
4932	tmp240633000.exe
3480	tmp240633218.exe
4088	tmp240633859.exe
4852	notpad.exe
444	tmp240634125.exe
2228	tmp240634171.exe
1932	notpad.exe
4456	tmp240634343.exe
1612	tmp240634359.exe
4592	notpad.exe
4288	tmp240634515.exe
4328	tmp240666000.exe
3540	notpad.exe
2856	tmp240669828.exe
3352	tmp240670062.exe
2844	notpad.exe
1288	tmp240670328.exe
4760	tmp240670421.exe
4788	notpad.exe
1432	tmp240670687.exe
3776	tmp240670781.exe
1880	notpad.exe
4684	tmp240670984.exe
2828	tmp240671062.exe
964	notpad.exe
528	tmp240671281.exe
3408	notpad.exe
3200	tmp240671328.exe
892	tmp240671500.exe
4816	notpad.exe
4988	tmp240671781.exe
2388	tmp240672015.exe
3024	tmp240672171.exe
4924	notpad.exe
2460	tmp240672437.exe
1392	tmp240673203.exe
4940	notpad.exe
3268	tmp240673406.exe
4228	tmp240673656.exe
3124	notpad.exe
1304	tmp240673890.exe
2868	tmp240674015.exe
1176	notpad.exe
2996	tmp240674234.exe
1152	tmp240674312.exe
1732	notpad.exe
3748	tmp240674500.exe
1512	tmp240674562.exe
4732	notpad.exe
4628	tmp240674718.exe
3656	tmp240675031.exe
216	notpad.exe
2168	tmp240675187.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4844-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e13-137.dat	upx
behavioral2/files/0x0006000000022e13-138.dat	upx
behavioral2/memory/4324-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4844-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4324-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e17-146.dat	upx
behavioral2/files/0x0007000000022e17-147.dat	upx
behavioral2/memory/3748-148-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4324-149-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1b-154.dat	upx
behavioral2/files/0x0006000000022e1b-155.dat	upx
behavioral2/memory/3748-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4628-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4844-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e16-166.dat	upx
behavioral2/files/0x0007000000022e16-167.dat	upx
behavioral2/files/0x0006000000022e14-171.dat	upx
behavioral2/files/0x0007000000022e16-174.dat	upx
behavioral2/memory/1328-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3716-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1328-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e14-183.dat	upx
behavioral2/memory/3716-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e16-189.dat	upx
behavioral2/files/0x0006000000022e14-193.dat	upx
behavioral2/memory/4852-197-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e16-199.dat	upx
behavioral2/memory/1932-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e14-204.dat	upx
behavioral2/files/0x0007000000022e16-209.dat	upx
behavioral2/memory/4592-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4592-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e14-215.dat	upx
behavioral2/files/0x0007000000022e16-220.dat	upx
behavioral2/memory/3540-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e14-227.dat	upx
behavioral2/memory/3540-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e16-231.dat	upx
behavioral2/files/0x0006000000022e14-235.dat	upx
behavioral2/memory/2844-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e16-241.dat	upx
behavioral2/files/0x0006000000022e14-245.dat	upx
behavioral2/memory/4788-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1880-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/964-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3408-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4816-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4816-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4924-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4924-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4940-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3124-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1176-280-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1176-283-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1732-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4732-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/216-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3104-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3892-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2724-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2724-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2412-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3692-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 61 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240676312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240716296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240702218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240632875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240675656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240695187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240697390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240701687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240704968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240720843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240704531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240708375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240588453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240633218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240698562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240698765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240703859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240674500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240704765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240704250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240669828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240675187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240676593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240699625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240701468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240697656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240701906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240703265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240670328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240670984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240674234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240703640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240634125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240701046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240673406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240698937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240705203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240699859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240696703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240703015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240705750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240703453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240705484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240634343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240671500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240672015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240672437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240696062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240675390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240676062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240699203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240634515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240700812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240701218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240702062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240704062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240670687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240671281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240673890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240674718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240700078.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp240695187.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240696062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240697390.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240588453.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240671281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240674234.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240674500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240675390.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240699203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240705484.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240705484.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240674718.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240675656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240676312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240698937.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240675187.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240704062.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240703265.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240703453.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240704062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240670328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240670984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240673890.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240674500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240699625.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240698937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240700812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240704968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240588453.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240588453.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240633218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240672437.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240674500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240705203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240705203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240674234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240674718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240699203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240634125.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240634343.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240669828.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240670328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240671500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240699625.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240701906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240704531.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240702062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240703859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240704250.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240632875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240634125.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240670687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240676062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240700078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240704531.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240633218.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240634125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240671500.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240697656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240703640.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240704765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240634515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240670984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240676062.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240716296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240720843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240704531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240704765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240708375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240696062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240699203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240699859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240705484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240674234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240698937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240704250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240674718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240705203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240670984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240674500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240698562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240695187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240697656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240705750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240700078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240673890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240697390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240699625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240696703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240704062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240704968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240670687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240673406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240698765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240670328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240700812.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4548	4844	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	81
PID 4844 wrote to memory of 4548	4844	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	81
PID 4844 wrote to memory of 4548	4844	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	81
PID 4844 wrote to memory of 4324	4844	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	82
PID 4844 wrote to memory of 4324	4844	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	82
PID 4844 wrote to memory of 4324	4844	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	82
PID 4324 wrote to memory of 3948	4324	tmp240589015.exe	83
PID 4324 wrote to memory of 3948	4324	tmp240589015.exe	83
PID 4324 wrote to memory of 3948	4324	tmp240589015.exe	83
PID 4324 wrote to memory of 3748	4324	tmp240589015.exe	84
PID 4324 wrote to memory of 3748	4324	tmp240589015.exe	84
PID 4324 wrote to memory of 3748	4324	tmp240589015.exe	84
PID 3748 wrote to memory of 3484	3748	tmp240592750.exe	85
PID 3748 wrote to memory of 3484	3748	tmp240592750.exe	85
PID 3748 wrote to memory of 3484	3748	tmp240592750.exe	85
PID 3748 wrote to memory of 4628	3748	tmp240592750.exe	86
PID 3748 wrote to memory of 4628	3748	tmp240592750.exe	86
PID 3748 wrote to memory of 4628	3748	tmp240592750.exe	86
PID 4628 wrote to memory of 2728	4628	tmp240624234.exe	87
PID 4628 wrote to memory of 2728	4628	tmp240624234.exe	87
PID 4628 wrote to memory of 2728	4628	tmp240624234.exe	87
PID 4628 wrote to memory of 3980	4628	tmp240624234.exe	88
PID 4628 wrote to memory of 3980	4628	tmp240624234.exe	88
PID 4628 wrote to memory of 3980	4628	tmp240624234.exe	88
PID 4548 wrote to memory of 1328	4548	tmp240588453.exe	89
PID 4548 wrote to memory of 1328	4548	tmp240588453.exe	89
PID 4548 wrote to memory of 1328	4548	tmp240588453.exe	89
PID 1328 wrote to memory of 2404	1328	notpad.exe	90
PID 1328 wrote to memory of 2404	1328	notpad.exe	90
PID 1328 wrote to memory of 2404	1328	notpad.exe	90
PID 2404 wrote to memory of 3716	2404	tmp240632875.exe	91
PID 2404 wrote to memory of 3716	2404	tmp240632875.exe	91
PID 2404 wrote to memory of 3716	2404	tmp240632875.exe	91
PID 1328 wrote to memory of 4932	1328	notpad.exe	92
PID 1328 wrote to memory of 4932	1328	notpad.exe	92
PID 1328 wrote to memory of 4932	1328	notpad.exe	92
PID 3716 wrote to memory of 3480	3716	notpad.exe	93
PID 3716 wrote to memory of 3480	3716	notpad.exe	93
PID 3716 wrote to memory of 3480	3716	notpad.exe	93
PID 3716 wrote to memory of 4088	3716	notpad.exe	94
PID 3716 wrote to memory of 4088	3716	notpad.exe	94
PID 3716 wrote to memory of 4088	3716	notpad.exe	94
PID 3480 wrote to memory of 4852	3480	tmp240633218.exe	95
PID 3480 wrote to memory of 4852	3480	tmp240633218.exe	95
PID 3480 wrote to memory of 4852	3480	tmp240633218.exe	95
PID 4852 wrote to memory of 444	4852	notpad.exe	96
PID 4852 wrote to memory of 444	4852	notpad.exe	96
PID 4852 wrote to memory of 444	4852	notpad.exe	96
PID 4852 wrote to memory of 2228	4852	notpad.exe	97
PID 4852 wrote to memory of 2228	4852	notpad.exe	97
PID 4852 wrote to memory of 2228	4852	notpad.exe	97
PID 444 wrote to memory of 1932	444	tmp240634125.exe	98
PID 444 wrote to memory of 1932	444	tmp240634125.exe	98
PID 444 wrote to memory of 1932	444	tmp240634125.exe	98
PID 1932 wrote to memory of 4456	1932	notpad.exe	99
PID 1932 wrote to memory of 4456	1932	notpad.exe	99
PID 1932 wrote to memory of 4456	1932	notpad.exe	99
PID 1932 wrote to memory of 1612	1932	notpad.exe	100
PID 1932 wrote to memory of 1612	1932	notpad.exe	100
PID 1932 wrote to memory of 1612	1932	notpad.exe	100
PID 4456 wrote to memory of 4592	4456	tmp240634343.exe	101
PID 4456 wrote to memory of 4592	4456	tmp240634343.exe	101
PID 4456 wrote to memory of 4592	4456	tmp240634343.exe	101
PID 4592 wrote to memory of 4288	4592	notpad.exe	102

C:\Users\Admin\AppData\Local\Temp\cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe
"C:\Users\Admin\AppData\Local\Temp\cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\tmp240588453.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240588453.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\tmp240632875.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240632875.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\tmp240633218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633218.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634125.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634343.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670328.exe
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670687.exe
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670984.exe
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671281.exe
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671500.exe
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672015.exe
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672437.exe
        28⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673406.exe
        30⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673890.exe
        32⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674234.exe
        34⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674500.exe
        36⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674718.exe
        38⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675187.exe
        40⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675390.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675656.exe
        44⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676062.exe
        46⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676312.exe
        48⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676593.exe
        50⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695187.exe
        52⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696062.exe
        54⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696703.exe
        56⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697390.exe
        58⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697656.exe
        60⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698562.exe
        62⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698765.exe
        64⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698937.exe
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699203.exe
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699625.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699859.exe
        72⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700078.exe
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700812.exe
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701046.exe
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701218.exe
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701468.exe
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701687.exe
        84⤵
        Checks computer location settings
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701906.exe
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702062.exe
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702218.exe
        90⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703015.exe
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703265.exe
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703453.exe
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703640.exe
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703859.exe
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704062.exe
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704250.exe
        104⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704531.exe
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704765.exe
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704968.exe
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705203.exe
        112⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705484.exe
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705750.exe
        116⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708515.exe
        118⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716156.exe
        118⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720703.exe
        119⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724875.exe
        119⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708328.exe
        116⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708375.exe
        117⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716296.exe
        119⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720843.exe
        121⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727859.exe
        121⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720656.exe
        119⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724890.exe
        120⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711703.exe
        117⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705562.exe
        114⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705578.exe
        115⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705609.exe
        115⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705218.exe
        112⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705281.exe
        113⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705328.exe
        113⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705015.exe
        110⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705078.exe
        111⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705140.exe
        111⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704796.exe
        108⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704562.exe
        106⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704265.exe
        104⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704078.exe
        102⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703921.exe
        100⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703656.exe
        98⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703468.exe
        96⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703281.exe
        94⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703031.exe
        92⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702828.exe
        90⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702078.exe
        88⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701921.exe
        86⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701703.exe
        84⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701531.exe
        82⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701281.exe
        80⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701062.exe
        78⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700843.exe
        76⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700109.exe
        74⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699906.exe
        72⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699671.exe
        70⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699296.exe
        68⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699015.exe
        66⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698781.exe
        64⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698593.exe
        62⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697703.exe
        60⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697500.exe
        58⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697218.exe
        56⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696531.exe
        54⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695875.exe
        52⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        50⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676421.exe
        48⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676156.exe
        46⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        44⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675484.exe
        42⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        40⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675031.exe
        38⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674562.exe
        36⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674312.exe
        34⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674015.exe
        32⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673656.exe
        30⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673203.exe
        28⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        26⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671781.exe
        24⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671328.exe
        22⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671062.exe
        20⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670781.exe
        18⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe
        16⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670062.exe
        14⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666000.exe
        12⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634359.exe
        10⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634171.exe
        8⤵
        Executes dropped EXE
        
        PID:2228
      - C:\Users\Admin\AppData\Local\Temp\tmp240633859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633859.exe
        6⤵
        Executes dropped EXE
        
        PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\tmp240633000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240633000.exe
      4⤵
      Executes dropped EXE
      PID:4932
- C:\Users\Admin\AppData\Local\Temp\tmp240589015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240589015.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\tmp240589187.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589187.exe
    3⤵
    - Executes dropped EXE
    PID:3948
- - C:\Users\Admin\AppData\Local\Temp\tmp240592750.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240592750.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
      4⤵
      Executes dropped EXE
      PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\tmp240624234.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240624234.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\tmp240626656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626656.exe
        5⤵
        Executes dropped EXE
        
        PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
        5⤵
        Executes dropped EXE
        
        PID:3980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240588453.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588453.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589015.exe

Filesize
470KB

MD5
445e69fdab59983dd16d8b6a883250fd

SHA1
60868b848296c467aa8963263ca7d85e3786e57e

SHA256
aadd8c840d64d9dffb1af59bdbbfecd6fb5e8b68eb7070b2ac1cb2c33f01898d

SHA512
14d99b4f1c55326861b64d63259cd62fb6a12ce49dfc1cc48c181645334812db95615fdfd5632f5049bed975b9eaf2403005389c492e6b747408c3e31f33a904

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589015.exe

Filesize
470KB

MD5
445e69fdab59983dd16d8b6a883250fd

SHA1
60868b848296c467aa8963263ca7d85e3786e57e

SHA256
aadd8c840d64d9dffb1af59bdbbfecd6fb5e8b68eb7070b2ac1cb2c33f01898d

SHA512
14d99b4f1c55326861b64d63259cd62fb6a12ce49dfc1cc48c181645334812db95615fdfd5632f5049bed975b9eaf2403005389c492e6b747408c3e31f33a904

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589187.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589187.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240592750.exe

Filesize
335KB

MD5
5a9c79aa36b764c745b177eca44ffc38

SHA1
698fc30a496cdb13d820e82ef2eded5b31fc4d39

SHA256
6331de09ae2ca9deef3b73c30c797220defce425fb89c3109a9d7ce7704c18d1

SHA512
6939ac545d3675c15d42cad54675d9c986891ab026aac9ef5e7167d3e509fe4ad895a417e5c3c05613eed6ccd1bf19ebbff0fe710ae2e73eb912b421065ca845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240592750.exe

Filesize
335KB

MD5
5a9c79aa36b764c745b177eca44ffc38

SHA1
698fc30a496cdb13d820e82ef2eded5b31fc4d39

SHA256
6331de09ae2ca9deef3b73c30c797220defce425fb89c3109a9d7ce7704c18d1

SHA512
6939ac545d3675c15d42cad54675d9c986891ab026aac9ef5e7167d3e509fe4ad895a417e5c3c05613eed6ccd1bf19ebbff0fe710ae2e73eb912b421065ca845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240624234.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240624234.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240626656.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240626656.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240632875.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240632875.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240633000.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240633218.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240633218.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240633859.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240634125.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240634125.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240634171.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240634343.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240634343.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240634359.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240666000.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240670062.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240670328.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240670328.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240670687.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240670687.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/216-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/316-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1244-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1328-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1328-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1880-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2128-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2412-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2532-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2724-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2724-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2728-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2844-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2888-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2904-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3104-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3124-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3408-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3540-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3540-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3596-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3596-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3692-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3692-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3692-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3716-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3716-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3748-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3748-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3892-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3904-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-149-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4592-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4592-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4788-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4816-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4816-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4852-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4924-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4924-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4940-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4972-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4972-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download